The Tesla Roadster instrumentation CAN bus (running at 1MHz) supports a CAN bus message to lock/unlock the car as well as enable/disable valet mode and change the PIN. Authentication on this message is via simple user PIN code which is typically 4 digits (but can be up to 8 digits).
This PIN code is usually entered on the VDS by the user, and then transmitted in plain text on the instrumentation CAN bus to the VMS.
The CAN bus message used to lock/unlock the car, and enable/disable valet mode is:
ID: 0x102 B1: 0x0B B2: 0x00 = Activate Valet mode 0x01 = Deactivate Valet mode 0x02 = Lock car 0x03 = unlock car B3: 0x00 B4: 0x00 B5: PIN LSB B6: PIN B7: PIN (total 28 bits for PIN) B8: PIN MSB 4 bits = number of PIN characters (1-8) 4 LSB bits = PIN MSB
Note: Example PIN 1234 unlock is 0x0B, 0x03, 0x00, 0x00, 0xD2, 0X04, 0x00, 0x40
Note: Unlock/lock does not affect the immobilizer+alarm (fitted on vehicles outside North America)
PIN code change is also available.
Using a simple CAN bus tap, the 1MHz instrumentation CAN bus messages can be read. When the user enters the PIN code (for example to enable/disable valet mode), it is transmitted in plain text using the above message.
The instrumentation CAN bus is available at various points in the car, with the simplest being the engineering diagnostic connector in the passenger footwell of the vehicle.
The PIN code permits the following functions:
- Enable valet mode
- Disable valet mode
- Lock the vehicle
- Unlock the vehicle
- Cancel the alarm (via unlocking the vehicle) in North American vehicles
- Change the PIN code
On vehicles outside North America, a separate alarm system and immobiliser is used. That system is not affected by this PIN code, so functions 4 through 5 will have limited impact on these vehicles.
There is a separate physical key used to start the vehicle, and unlock the steering wheel, that is not affected by this vulnerability.
Once the PIN code has been discovered, the greatest concerns are:
- Cancelling a sounding alarm on North American vehicles
- Providing access to the trunk and glove compartment of a locked vehicle
- Malicious prank to enable valet mode
- Malicious prank to change the PIN code (possibly after enabling valet mode)
The most likely exploit would come at a valet parking station where a vehicle key could be easily copied and with access to the vehicle, a CAN bus logger installed in the passenger footwell. When the user returns to retrieve their vehicle, they disable the valet mode (via entry of PIN code on the VDS screen). At this point, the valet has a copy of the physical key as well as the PIN code to arm/disarm the vehicle alarm on North American vehicles.
There is no known mitigation for this issue (other than physical protection of access to the vehicle CAN bus).
Reported: 3 May 2017
Classification: Sensitive Data Exposure > Critically Sensitive Data > Password Disclosure
Vendor Response: Declined to address, and no fix for more than 1 year, so public release
Public Release: 3 Dec 2018